Active Directory Remote Users Prevent Cache Logon

Posted on 2014-03-20
Last Modified: 2014-03-26
Hello all,
I have been asked to find a solution for securing corporate PC information from access of remote personnel upon their termination, we are using VPN.
Basically, if the business terminates an employee they want to ensure the user will not be able to log in to the Laptop they were issued, and no longer onto the domain. The domain side is the easy part but how would I immediately be able to reach out and secure the machines for these remote users, so they can no longer log in with the cached credentials?
I was told of a way via SCCM that may facilitate but can find nothing related.
Please, any direction and help is appreciated because I do not want to be the next to be released here.

Kry
Question by:kryanC

Assisted Solution

by:R. Andrew Koffron
ID: 39943104
You just need to set a group policy, and join the machines to the domain prior to deployment:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Network Access: Do not allow storage of credentials or .NET Passports for network authentication

If you can recall the machines, it's pretty easy: plug 'em in and force a gpupdate. If they remain external, I don't know how to fire it retroactively to external VPN clients; I'm not sure, I'd think you'd have to create a local GPO update and a script to download it to each machine and fire it locally. I've never had any consistent success getting things to work over VPN.

But going forward, just make sure your initial deployment stops caching.

Assisted Solution

by:Mahesh
ID: 39943510
The above setting will stop cached login for working employees at home as well.

Once you have disabled the user account for a terminated user, make sure that you immediately disable their mailbox, emails and any other logins (VPN, internet data card etc.) they might have.

Now even if the user is able to log in offline with cached credentials, they can't practically do anything.

Accepted Solution

by:R. Andrew Koffron
ID: 39943612
Keep in mind that policy changes are applied by the login process, so remote machines have already authenticated by the time they get to the VPN stage. If you remove caching, you'll need to set them to use a VPN/dial-up connection in order to boot up/log in, prior to logging into the remote machine, and that will ONLY work when their internet connection is on and VPN is up and running, and may render machines completely useless unless each machine has a local profile, and a local profile wouldn't apply a domain policy.

Sort of a catch-22; I don't know a good way around it either.
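
As an added example (not code from the thread or its posters), here is a PowerShell audit of the two registry values behind the policies discussed above, which is the check a practitioner would want before rolling anything out to remote laptops: CachedLogonsCount backs the cached-domain-logon count that decides whether offline logon is possible at all, while the setting Andrew quotes maps to DisableDomainCreds and governs Credential Manager storage. It assumes an elevated session on the machine being checked.

```powershell
# Added example, not code from the thread. Audits a Windows machine's cached-logon
# posture and optionally sets the cache count. Run in an elevated PowerShell session.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CachedLogonPosture {
    # CachedLogonsCount backs "Interactive logon: Number of previous logons to cache";
    # it is stored as REG_SZ and Windows treats an absent value as the default of 10.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }

    # DisableDomainCreds backs "Network access: Do not allow storage of passwords and
    # credentials for network authentication" (1 = enabled). It controls Credential
    # Manager storage, not the domain logon cache read above.
    $ddc = (Get-ItemProperty -Path $LsaKey -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        CachedLogonsCount     = $count
        OfflineLogonPossible  = ($count -gt 0)   # 0 = a reachable DC (or VPN to one) is required to log in
        CredManStorageBlocked = ($ddc -eq 1)
    }
}

function Set-CachedLogonsCount {
    # Writes the value the way Group Policy would; it takes effect at the next logon.
    # 0 disables offline domain logon entirely, which is the catch-22 the thread describes.
    # If a GPO defines this setting, the next policy refresh will overwrite it.
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value ([string]$Count) -Type String
    Get-CachedLogonPosture
}

Get-CachedLogonPosture | Format-List
```

Running the audit before and after a gpupdate shows whether the policy actually reached a given laptop, which is the gap the thread says is hard to close over VPN.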

Author Closing Comment

by:kryanC
ID: 39956960
Thanks to all. Catch-22 is the best way of illustrating how to force it and kill their ability to work offline at the same time if I want to protect the data.
If anyone has a third party solution or any other ideas I would be interested because the "business" says that they are sure there is such a solution but can't remember what it is.
Thanks again,

Kry